Hacker News
by ndriscoll 607 days ago
If it's only meant to be used for those environments, then attestation data should not be provided by default. IT can enable it on managed devices.

It's up to the provider as to whether they provide or not. I don't think there's a "default"?

I seem to remember that Apple specifically don't provide attestation details on their implementation.

Non-default as in browsers should not provide any attestation information unless configured to via a setting in about:config (which can be automatically enabled by IT on a managed device), and mobile OSes should not provide attestation info to apps unless configured via some similarly buried setting that MDM can enable.

Basically put it there for nerds and IT where the device owner wants that extra security and coordinates with (or is) the service provider to set it up. For everyday use, it should be unavailable so that it's not used for lock-in.

Browsers should follow the spec.

Whether or not attestation data is passed on to the browser is a decision the passkey provider can make.